Why do many open source projects require Sign Off? The username and email address have already been configured in Git. What is the significance of signing again?
In addition, how is the Sign Off operation performed? Is it enough to add a line at the end of the commit message, or is it done during the Pull Request, or is there some other method that needs to be used?
大家讲道理 2017-05-02 09:27:58
First, distinguish between sign-off and signature. @nightfire has explained the signature. Let me explain (translate) the meaning of sign-off.
I have not seen "many open source projects require" sign-off. The most famous is the linux kernel. Its documentation says this:
11) Sign your work
To improve tracking of who did what, especially with patches that can
percolate to their final resting place in the kernel through several
layers of maintainers, we've introduced a "sign-off" procedure on
patches that are being emailed around.
Because in the development process of Linux they do not use the "pull request" created by GitHub, but send patches through (distributed) email (so git has pretty good support for email). When patches are sent back and forth you need to keep track of them, otherwise it goes badly, as BSD experienced, and affects development. "Signed-off-by" is actually a statement that you guarantee that the patch you send complies with the points in the "Developer's Certificate of Origin 1.1".
Someone on StackOverflow said that this is only a requirement of a few projects, and most projects do not use sign-off.
PS: If you look at kernel commits, sometimes you can see a commit with a long list of sign-off. How can only one committer and one author be enough in this case?
PHPz 2017-05-02 09:27:58
The simple answer is: for you to prove that you are you!
Generally, when committing, there are two pieces of information: author and committer, usually the same person (private project, shared central repo).
In the era before Github (for example, when Git was first used for collaborative development of Linux Core), the pull request that everyone is now accustomed to was not so simple to handle. At that time, patches were often used for distributed development. For example, you sent your commit (the author information was generated at this point) to the project manager/maintainer as an email attachment, and then he/she merged it into the central repository (this is where the committer information is generated)...
However, neither the author nor the committer can essentially prove that the "person" is the real person who did that thing. Because it is too easy to know the name and email of a developer. Can a patch sent as an email attachment prove that the author is you? Can the person who receives the email and merges it be sure that he is the committer? (Assuming a project has multiple managers/maintainers)
So, people who value this will use GPG keys for secure signatures, which is what you asked about Sign Off. It is actually an electronic signature. Many email clients also use this for digital signatures.
I tried to make it as simple and clear as possible, but in fact there are more details than you imagine. If you are interested, you can read this article: A Git Horror Story: Repository Integrity With Signed Commits, and even that article does not cover everything related to Sign Off.
Another point of concern is this, many projects will have licenses, right? But you may use third-party code in your project, and it is possible that the licensing policies of these codes are mutually exclusive/conflict with the license of this project. If it is an open source project (as you asked), you will pay more attention to this aspect (do you want others to sue you?). Git's Sign Off can be accurate to the line, which is a verification of the true source of the code (although the reliability is questionable, it is better than nothing...). I won’t go into details about this, I just heard a little bit about it.
If you want to use a signature, you need to follow the simplest three steps (based on Mac):
1) You need the gnupg program; on a Mac you can install it with homebrew:
2) You need to generate your GPG key. The process is omitted (it is in the article above); after it is generated, it will look like this:
3) You need to tell Git what your key ID is (because you can have multiple keys at the same time):
`git config --global user.signingkey KEY_ID`
(this ID can be found in the list from step 2)
Okay, from now on add -S (note the capitalization) to the git commit command and your digital signature will be attached automatically when you commit. You are who you are and refuse to be counterfeited!
According to @Evian's tip, --sign-off and --gpg-sign are different. There are historical reasons for this; if you are interested, you can read the comments under her answer. The answer quoted below is from a Google search:
-s adds a "signed off by" field to the commit. -S actually GPG signs the commit, which was added in git 1.7.9. Also, this does not sign all commits, but only those which are made by the user directly using the git c command. In a rebase, when new commits are created, this will not sign off on (or PGP sign) the commits, unless you do an interactive rebase and manually commit every change.
-S can do both at once, which is why the earlier answer recommended this option. So --sign-off only adds your name as a sign-off, while --gpg-sign signs with a GPG key.
OK, wrong again... -S cannot do both at the same time. If you want both a sign-off and a GPG signature, you have to use both options together.
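As an added example (not code from either answer or from any project mentioned on this page), the script below makes the distinction drawn in both answers concrete by inspecting a raw commit object in the form `git cat-file -p <sha>` prints: `git commit -s` appends a `Signed-off-by:` trailer to the message body, whereas `git commit -S` adds a `gpgsig` header to the commit object itself. The two sample commits, their zeroed tree/parent hashes and the signature block are constructed placeholders. The `dco_ok` check (the author appears among the sign-offs) is the Developer's Certificate of Origin rule; as the second answer notes, it only records that the author asserted the certificate, and says nothing about whether that identity is genuine, which is what the GPG signature is for.

```python
"""Tell a DCO sign-off (`git commit -s`) apart from a GPG signature
(`git commit -S`) by parsing a raw git commit object.

Input is the text `git cat-file -p <sha>` prints for a commit: headers
('tree', 'parent', 'author', 'committer', optionally 'gpgsig'), a blank
line, then the message.  All sample data below is constructed."""
import re

# 'Signed-off-by: Name <email>' trailer appended by `git commit -s`
TRAILER_RE = re.compile(r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$")
# author/committer header value: 'Name <email> <unix time> <tz offset>'
IDENT_RE = re.compile(r"^(?P<name>.+?)\s*<(?P<email>[^>]+)>\s+\d+\s+[+-]\d{4}$")


def parse_commit(raw):
    """Split a raw commit object into (headers, message).

    Headers are 'key value' lines before the first blank line.  A multi-line
    value (the gpgsig armor block) continues on lines beginning with a space.
    """
    header_text, _, message = raw.partition("\n\n")
    headers = {}
    key = None
    for line in header_text.split("\n"):
        if line.startswith(" ") and key is not None:
            headers[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value
    return headers, message


def ident(value):
    """Reduce 'Name <email> 1493688478 +0800' to (name, lower-cased email)."""
    m = IDENT_RE.match(value)
    if not m:
        raise ValueError("unparseable ident: %r" % value)
    return m.group("name"), m.group("email").lower()


def signoffs(message):
    """All Signed-off-by trailers in the message, in order."""
    found = []
    for line in message.strip().split("\n"):
        m = TRAILER_RE.match(line)
        if m:
            found.append((m.group("name"), m.group("email").lower()))
    return found


def inspect_commit(raw):
    """Report which kind of 'signing' the commit carries.

    has_gpg_signature: a gpgsig header is present (produced by -S)
    signoffs:          the Signed-off-by trailers (produced by -s)
    dco_ok:            the author is among the sign-offs, i.e. the DCO
                       statement was made by the person named as author
    """
    headers, message = parse_commit(raw)
    offs = signoffs(message)
    return {
        "has_gpg_signature": "gpgsig" in headers,
        "signoffs": offs,
        "dco_ok": ident(headers["author"]) in offs,
        "committer_signed_off": ident(headers["committer"]) in offs,
    }


# Constructed sample: sign-off only, passed through a maintainer who added
# their own sign-off (the chain the first answer describes). Hashes are zeros.
SIGNED_OFF_ONLY = """tree 0000000000000000000000000000000000000000
parent 0000000000000000000000000000000000000000
author Alice Example <alice@example.com> 1493688478 +0800
committer Bob Maintainer <bob@example.com> 1493691000 +0800

Fix off-by-one in buffer length check

Signed-off-by: Alice Example <alice@example.com>
Signed-off-by: Bob Maintainer <bob@example.com>
"""

# Constructed sample: GPG-signed (-S) but with no DCO sign-off. The armor
# block is placeholder text, not a real signature, and is abbreviated.
GPG_SIGNED_ONLY = """tree 0000000000000000000000000000000000000000
author Alice Example <alice@example.com> 1493688478 +0800
committer Alice Example <alice@example.com> 1493688478 +0800
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDER-NOT-A-REAL-SIGNATURE
 -----END PGP SIGNATURE-----

Add release notes
"""

if __name__ == "__main__":
    for label, raw in (("sign-off only", SIGNED_OFF_ONLY), ("gpg only", GPG_SIGNED_ONLY)):
        print(label, inspect_commit(raw))
```

Run it as a script to see both reports. Note that `has_gpg_signature` only detects that a `gpgsig` header exists; whether the signature verifies against a trusted key is a separate step that git performs with `git verify-commit` or `git log --show-signature`, which needs gpg and the signer's public key.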